IN THE CLAIMS 

Please amend claims 1, 8, 15 and 19 as follows: 

1. (Currently Amended) Authentication method for telecommunication networks, 
especially for IP networks, in accordance with which method the identity of a subscriber 
attached to the network is authenticated, 
characterized by: 

in a network terminal, using a subscriber identity module essentially of the same 
kind as in a known mobile communications system, which identity module is such that a 
response is obtained as a result of a challenge given to it as input, 

using a special security server in the network so that when a terminal attaches to 
the network, a message of a new user is transmitted to the security server, 

fetching subscriber authentication information corresponding to the new user from 
the mobile communications system to the network, which authentication information 
contains at least a challenge and a response, wherein after the response to the challenge is 
generated by the network terminal, the challenge is stored on the network terminal to 
ensure that the challenge is used once, and 

performing authentication based on the authentication information obtained from 
the mobile communications system by transmitting the challenge to the terminal through 
the network, by checking that the challenge is unique from challenges used in previous 
authentication exchanges, by generating, if the challenge is unique and is not stored on 
the network terminal, the response from the challenge in the identity module of the 
terminal and by comparing the response with the response received from the mobile 
communications system. 
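
The exchange recited in claim 1, as an added illustration that is not part of the filed claims: the terminal stores each challenge it has answered and gives no response to a repeated one, and the network compares the returned response with the one it fetched. The names Terminal, SecurityServer, sim_response and make_pairs are hypothetical, and HMAC-SHA256 truncated to 4 bytes is an assumed stand-in for the identity module's algorithm, which the claims do not specify.

```python
import hashlib
import hmac
import os


def sim_response(ki: bytes, challenge: bytes) -> bytes:
    # Assumed stand-in for the identity module's challenge-to-response function.
    return hmac.new(ki, challenge, hashlib.sha256).digest()[:4]


class Terminal:
    """Network terminal: identity module key plus the store of used challenges."""

    def __init__(self, ki: bytes):
        self._ki = ki
        self._used = set()

    def answer(self, challenge: bytes):
        if challenge in self._used:
            return None  # already stored: a replayed challenge gets no response
        response = sim_response(self._ki, challenge)
        self._used.add(challenge)  # stored after the response is generated
        return response


class SecurityServer:
    """Network side: holds (challenge, response) pairs fetched for one subscriber."""

    def __init__(self, pairs):
        self._pairs = list(pairs)
        self._issued = set()  # challenges used in previous exchanges

    def authenticate(self, terminal: Terminal) -> bool:
        while self._pairs:
            challenge, expected = self._pairs.pop(0)
            if challenge in self._issued:
                continue  # not unique, so never transmitted again
            self._issued.add(challenge)
            got = terminal.answer(challenge)
            return got is not None and hmac.compare_digest(got, expected)
        return False  # no unused authentication information left


def make_pairs(ki: bytes, n: int):
    # Constructed sample data standing in for the mobile system's records.
    pairs = []
    for _ in range(n):
        challenge = os.urandom(16)
        pairs.append((challenge, sim_response(ki, challenge)))
    return pairs
```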

2. (Previously Presented) Method as defined in claim 1, characterized in that fetching of 
the subscriber's authentication information from the mobile communications system is 
started from the security server in response to the message. 

3. (Original) Method as defined in claim 1, characterized in that in response to a 
successful authentication, registration of the subscriber is performed as a client of a 
separate key management system. 

4. (Previously Presented) Method as defined in claim 3, characterized in that a known 
Kerberos system is used as the key management system. 

5. (Previously Presented) Method as defined in claim 4, characterized in that the 
subscriber-specific authentication information obtained from the mobile communications 
system also includes a key, whereby the subscriber is registered as a client of the 
Kerberos system so that the key is registered (a) as the client's password and (b) as a 
password for a service formed for the client's IP address or for a subscriber identity used 
in the mobile communications system. 



6. (Previously Presented) Method as defined in claim 1, characterized in that the 
subscriber's authentication information is fetched with the aid of a separate proxy server, 
which functions as a network element emulating a visitor location register of the mobile 
communications system and which requests the authentication information from an 
authentication center located in connection with a subscriber's home location register in 
the same way as the mobile communications system's own visitor location register. 

7. (Previously Presented) Method as defined in claim 1, characterized in that the 
subscriber's authentication information is fetched with the aid of a separate proxy server, 
which functions as a network element emulating the mobile communications system's 
base station controller and which is in connection with the mobile communications 
system's mobile switching centre for fetching the authentication information from an 
authentication center located in connection with a subscriber's home location register in 
the same way as the authentication information is fetched to the mobile communications 
system's own base station controller. 

8. (Currently Amended) Authentication system for telecommunications networks, 
especially for IP networks, which system includes authentication means for 
authenticating the identity of a subscriber who has attached to the network, 

characterized in that the authentication means includes: 

a subscriber identity module connected to the network's terminal, the 
module being essentially similar to the subscriber identity module used in a separate 
mobile communications system, whereby a response can be determined from a challenge 
given to the identity module as input, 

messaging means for sending a message when a terminal attaches to the 
network, 

a special security server for receiving the message, 

means for requesting authentication information corresponding to a 
subscriber from the mobile communications system, which information contains at least a 
challenge and a response, wherein after the response to the challenge is generated by the 
network terminal the challenge is stored on the network terminal to ensure that the 
challenge is used once, and 

on the side of the network, data transmission and checking means for 
transmitting the challenge through the network to the identity module and for checking 
that the challenge is unique from challenges used in previous authentication exchanges, 
for returning the response from the terminal to the network, if the challenge is unique and 
is not stored on the network terminal, and for comparing the received response with the 
response received from the mobile communications system. 

9. (Previously Presented) System as defined in claim 8, characterized in that the identity 
module is the subscriber identity module used in the GSM network. 



10. (Previously Presented) System as defined in claim 8, characterized in that the 
messaging means are adapted into a home agent in accordance with the mobile IP 
network. 

11. (Previously Presented) System as defined in claim 8, characterized in that the means 
for requesting authentication information include the said security server and a proxy 
server, which is connected to the GSM network. 

12. (Previously Presented) System as defined in claim 11, characterized in that the proxy 
server functions as a network element emulating the visitor location register of the GSM 
network. 

13. (Previously Presented) System as defined in claim 11, characterized in that the proxy 
server functions as a network element emulating the base station controller of the GSM 
network. 

14. (Previously Presented) System as defined in claim 11, characterized in that the system 
further includes a Kerberos server which is known as such and as the user of which the 
subscriber will be registered as a result of a successful authentication. 

15. (Currently Amended) Authentication method for telecommunications networks, 
especially for IP networks, in accordance with which method the identity of a subscriber 
attached to the network is authenticated, 
characterized by: 

in a network terminal, using a subscriber identity module essentially similar 
to the one used in a known mobile communications system, which identity module is 
such that a response is obtained as a result of a challenge given to it as input, 

storing subscriber-specific authentication information in a database, the 
information being in that way essentially similar to the information used for 
authentication in the mobile communications system that it contains at least a challenge 
and a response, wherein after the response to the challenge is generated by the network 
terminal, the challenge is stored on the network terminal to ensure that the challenge is 
used once, 

using a special security server in the network so that when a terminal 
attaches to the network, a message about the new user is transmitted to the security 
server, 

in response to the message, retrieving authentication information of the 
subscriber corresponding to the new user from the database, and 

performing authentication based on the authentication information obtained 
from the database by transmitting the challenge through the network to the terminal, by 
checking that the challenge is unique from challenges used in previous authentication 
exchanges and is not stored in the network terminal, by generating, if the challenge is 
unique, a response from the challenge in the identity module of the terminal, and by 
comparing the response with the response obtained from the database. 

16. (Original) Method as defined in claim 15, characterized in that the database is stored 
in connection with the security server. 

17. (Original) Method as defined in claim 15, characterized in that in response to a 
successful authentication, registration of the subscriber is performed as the user of a 
separate key management system. 

18. (Previously Presented) Method as defined in claim 17, characterized in that a known 
Kerberos system is used as the key management system. 

19. (Currently Amended) Authentication system for telecommunications networks, 
especially for IP networks, which system includes authentication means for 
authentication of the identity of a subscriber attached to the network, 

characterized in that the authentication means includes: 

a subscriber identity module, which is connected to a network terminal and 
which is essentially similar to the subscriber identity module used in a separate mobile 
communications system, whereby a response can be determined from the challenge given 
as input to the identity module, 

messaging means for sending a message when a terminal attaches to the 
network, 

a special security server for receiving the message, 

database means which include a database, wherein subscriber-specific 
authentication information is stored, which is in such a way essentially similar to the 
information used for authentication in the mobile communications system that it includes 
at least a challenge and a response, and retrieval means (SS) for retrieving 
subscriber-specific authentication information from the database in response to the message, wherein 
after the response to the challenge is generated by the network terminal, the challenge is 
stored on the network terminal to ensure that the challenge is used once, and 

on the side of the network, data transmission and checking means for transmitting 
the challenge through the network to the identity module and for checking that the 
challenge is unique from challenges used in previous authentication exchanges, if the 
challenge is unique and is not stored on the network terminal, for returning the response 
from the terminal to the network, and for comparing the received response with the 
response received from the database. 

20. (Previously Presented) System as defined in claim 19, characterized in that the 
identity module is a subscriber identity module used in the GSM network. 

21. (Previously Presented) System as defined in claim 19, characterized in that the 
messaging means are adapted into a home agent in accordance with the mobile IP 
network. 

22. (Previously Presented) System as defined in claim 19, characterized in that the system 
further includes a Kerberos server, which is known as such and as the client of which the 
subscriber is registered as the result of a successful authentication. 